Small and Medium Enterprises (SMEs) are businesses with relatively limited revenue, workforce size, and assets. However, if an SME collects, uses, or discloses personal data belonging to customers, employees, or business partners, it becomes subject to the obligations set out in the Personal Data Protection Act (PDPA). This is because the PDPA stipulates that any business operator who has the authority to make decisions regarding the collection, use, or disclosure of personal data is considered a Data Controller, and therefore has obligations to comply with the law as follows:
SMEs, as Data Controllers, should assess whether they are required to appoint a DPO in accordance with the Notification of PDPC on the Requirements for the Appointment of a Data Protection Officer (DPO) under Section 41(2). A DPO is required if the SME’s core activities involve the collection, use, or disclosure of personal data that necessitates regular monitoring of data or systems, such as activities that systematically and regularly track, observe, or predict individuals’ characteristics, or if such activities involve a large volume of personal data, whether assessed by the number of data subjects, types of data, retention period, or scope of use. In such cases, the organization should appoint a DPO with knowledge and understanding of the PDPA to provide advice, monitor, and oversee personal data processing activities to ensure compliance with data protection law.
Even when not legally required, appointing a DPO can still be beneficial, as it helps ensure proper oversight, provide guidance, monitor data handling, and reduce risks of data breaches in a systematic manner.
Under Section 39 of the PDPA, organizations are required to maintain a Record of Processing Activities (RoPA) documenting details of the collection, use, and disclosure of personal data. However, the Notification of the PDPC on Exemptions for small businesses from RoPA requirements allows certain organizations to prepare only a partial or simplified RoPA, including:
1. Small and Medium Enterprises (SMEs);
2. Community enterprises or networks of community enterprises;
3. Social enterprises or social enterprise groups;
4. Cooperatives, cooperative federations, or farmer groups;
5. Foundations, associations, religious or non-profit organizations; and
6. Family businesses or other similar businesses.
However, if the business is a service provider required to retain computer traffic data (excluding internet cafés), or if it involves the collection, use, or disclosure of personal data that poses risks to the rights and freedoms of data subjects, including cases where such processing is not occasional or involves sensitive personal data under Section 26, it shall not fall under the above exemption. In such cases, the organization remains obliged to prepare and maintain a full Record of Processing Activities (RoPA).
Before or at the time of collection, SMEs are required under Section 23 of the PDPA to inform data subjects of the details relating to the collection, use, and disclosure of their personal data. This can be done through a Privacy Notice, which should include:
1. The purposes and legal bases for processing personal data
2. Types of personal data collected
3. Retention period
4. Data transfers or disclosures
5. Security measures
6. Rights of the data subject
7. Contact details of the Data Controller
The Privacy Notice should be easy to read, clear, and easily accessible, such as on a website, job application forms, or applications.
Consent is one of the legal bases for processing personal data under the PDPA, used in two main situations:
1) Processing general personal data when no other legal basis under Section 24 applies
The PDPA provides 7 legal bases for the processing of personal data, namely research, statistics, and historical archives; vital interests; contract; public task; legitimate interest; legal obligation; and consent. Consent should be considered as a last resort when no other legal basis is applicable, as data subjects may withdraw their consent at any time, resulting in additional obligations for the Data Controller in managing consent.
2) Processing sensitive personal data under Section 26, such as data relating to race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union membership, genetic data, or biometric data, unless an exemption from consent applies, including:
Consent, whether for general or sensitive personal data, must be obtained before or at the time of collection. Such consent must be clear and unambiguous, specify explicit purposes, be clearly separated from other information, and be presented in plain and easily understandable language. Consent must be given freely, without deception or misleading practices, and must not be made a condition for entering into a contract or receiving a service.
To prevent the loss of, unauthorized access to, use of, alteration, modification, or disclosure of personal data, SMEs should establish policies for the retention and protection of personal data in accordance with the PDPA. Such measures should include physical safeguards, such as secure document storage, locking systems, and access restrictions; technical safeguards, such as the use of encrypted data storage systems, regular data backups, and two-factor authentication for system access; as well as organizational measures, including employee training to ensure awareness of the importance of personal data and basic data protection practices, such as avoiding the transmission of data through insecure channels and refraining from opening attachments from unknown sources.
Where SMEs, acting as Data Controllers, disclose personal data to external parties that act as Data Processors, they must enter into a Data Processing Agreement (DPA) in accordance with Section 40 of the PDPA in order to define the scope of personal data processing.
Likewise, where SMEs disclose personal data to external parties that act as Data Controllers, they must enter into a Data Sharing Agreement (DSA) to define the scope, duties, and responsibilities of both parties.
The PDPA recognizes and protects the rights of data subjects. Accordingly, SMEs should establish appropriate channels and procedures for handling requests to exercise data subject rights, in order to enable data subjects to exercise their rights as provided by law. Such rights include:
1. Right to be informed
2. Right to withdraw consent
3. Right of access
4. Right to rectification
5. Right to erasure
6. Right to restrict processing
7. Right to data portability
8. Right to object
Data Controllers may refuse to comply with a request in certain circumstances where there are lawful grounds to do so.
In the event of a personal data breach or a personal data protection incident, the PDPA requires the Data Controller to conduct a risk assessment. Where SMEs determine that the breach involves a risk, they must notify the Office of the Personal Data Protection Committee (PDPC) within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, SMEs must also notify the affected data subjects.
In conclusion, compliance with the PDPA is a crucial responsibility for all SMEs that collect, use, or disclose personal data. Establishing appropriate documentation, internal procedures, data security measures, and systematic mechanisms for responding to data subject rights will help businesses reduce legal risks, enhance credibility, and build long-term trust among employees, customers, and business partners.